Overview

NTLM relay attacks intercept and forward NTLM authentication messages to gain unauthorized access to network resources. Attackers use tools like Responder for LLMNR/NBT-NS poisoning and ntlmrelayx for credential relay. This skill detects relay activity by querying Windows Security Event 4624 (successful logon) for type 3 network logons with NTLMSSP authentication, identifying mismatches between WorkstationName and source IpAddress, detecting rapid multi-host authentication from single accounts, and auditing SMB signing configuration across domain hosts.

When to Use

When investigating security incidents that require hunting for ntlm relay attacks
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Python 3.9+ with Windows Event Log access or exported logs
Windows Security audit logging enabled (Event ID 4624, 4625, 5145)

Hunting For Ntlm Relay Attacks

Hunting For Ntlm Relay Attacks

Overview

When to Use

Prerequisites

Key Detection Areas

Output

1password

Springboot Security

Security Review

Laravel Security

Security Review

Django Security